Tuebora Blog

Communicate Your IAM Intent Directly to Your Applications

17 May

The goals of any Identity and Access Management (IAM) program are to support an organization’s mission and activities by ensuring that access to data in the organization is granted to the right person at the right time and removed when that access is no longer needed. Identity management teams are challenged to perform this function in the most efficient way possible within the organization’s policies and governing legal requirements. There are three keys to the ongoing success of an identity and access management program.

The first key is having access to complete and correct data for analysis. Many organizations have over 100 proprietary and off-the-shelf applications residing on-premises and in the cloud. Employees need access to these applications from multiple devices and through multiple access channels. This represents an enormous amount of provisioning complexity, because a good portion of needed access is provisioned outside of rule-based provisioning systems. The result is extended cycles for access allocation and revocation, which negatively affect morale, productivity, and enterprise security.

The second key is having the ability to analyze patterns, looking for unusual and improper access. Large volumes of account, entitlement, and access log data, in a variety of different formats, are generated and sent to connectors that collect and normalize this data. While some vendors have begun to standardize on SCIM as a common schema for exchanging user and group data, most have not, and SCIM says nothing about the format of access logs. This means allocating staff time to ongoing connector life cycle support. Connector development is usually not a core competency of the IAM team, and the activity steals time from the higher-value activity of analysis. Real-time analysis of the data as it comes in is too much to ask of personnel, so some form of rudimentary correlation is used to help analysts understand the extent of a problem. The dilemma is that the pace of change in the business produces many false positives as employees change positions, responsibilities, and locations.

The third key is having a way to answer a question every IAM professional eventually faces: how do you know when you need to add more personnel, change your IAM processes, or change IAM product vendors? Established benchmarks for measuring how well a team's IAM processes and tools perform in every phase of the IAM lifecycle are crucial for business performance and competitiveness. However, how do you start measuring if your IAM program is already running flat-out? A manual fishing expedition for orphaned accounts is almost impossible. Understanding who has access that they no longer need, or should no longer have, can mean weeks of analysis. And once one-off assignments of access are made outside of normal provisioning systems, they become a hard habit to break. So the question becomes: how do you gain the visibility needed to keep up with the speed of change required, while reducing risk to the organization?

By employing a machine learning platform, connectors that automatically provide SCIM-based field mapping, and tools to continuously baseline the environment, IAM data can be analyzed in light of specific behaviors. Provisioning behaviors can be continuously reviewed in historical context by comparing what access someone is initially granted and what additional access departmental peers are granted over time. This can illuminate ways to bring more efficiency to the process.

Continuous examination of what access employees use and stop using over time can reveal what access should be terminated or what access should be temporarily granted and re-issued as needed. Machine learning enables faster, more efficient IAM processes and supports metrics for continuous improvement.
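The three analyses this post leans on, peer-group comparison of granted access, detection of access that has gone unused, and discovery of orphaned accounts, can be stated concretely. The following is an added example written for this page, not Tuebora's code; the record layout (user, entitlement, last-used date), the HR feed of active identities, and the thresholds (fewer than half of a department's peers hold an entitlement; 90 idle days) are assumptions, and the sample data is constructed.

```python
"""Baseline checks over an access inventory: peer-group outliers,
dormant entitlements and orphaned accounts.

Example code written for this page, not Tuebora's platform. The record
layout, thresholds and all sample data are assumptions/constructed."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed HR system of record: active identities and their department.
ACTIVE_IDENTITIES = {
    "u001": "finance", "u002": "finance", "u003": "finance", "u004": "finance",
    "u005": "engineering", "u006": "engineering", "u007": "engineering",
}

# Constructed application access inventory, as a connector might normalize it:
# (user_id, entitlement, date last used, or None if never used).
ACCESS_RECORDS = [
    ("u001", "erp:gl-read", date(2024, 5, 10)),
    ("u002", "erp:gl-read", date(2024, 5, 12)),
    ("u003", "erp:gl-read", date(2024, 5, 1)),
    ("u004", "erp:gl-read", date(2024, 4, 30)),
    ("u001", "erp:gl-post", date(2024, 5, 9)),
    ("u002", "erp:gl-post", date(2024, 5, 11)),
    ("u003", "erp:gl-post", date(2024, 1, 2)),    # unused for months
    ("u004", "erp:gl-post", date(2024, 5, 13)),
    ("u003", "prod-db:admin", None),              # no finance peer holds this
    ("u005", "prod-db:admin", date(2024, 5, 15)),
    ("u006", "prod-db:admin", date(2024, 5, 14)),
    ("u007", "prod-db:admin", date(2024, 5, 16)),
    ("u005", "scm:write", date(2024, 5, 16)),
    ("u006", "scm:write", date(2024, 5, 16)),
    ("u007", "scm:write", date(2024, 2, 1)),      # unused for months
    ("u099", "erp:gl-post", date(2024, 4, 20)),   # owner left; account remains
]
TODAY = date(2024, 5, 17)


def peer_outliers(records, identities, min_peer_share=0.5, min_peers=3):
    """Entitlements a user holds that few departmental peers hold.

    An entitlement is flagged when fewer than min_peer_share of the user's
    department holds it. Departments smaller than min_peers are skipped,
    since in a one-person team every entitlement looks unusual. Accounts
    with no active identity have no department and are left to
    orphaned_accounts()."""
    members = defaultdict(set)
    for user, dept in identities.items():
        members[dept].add(user)
    holders = defaultdict(set)          # (dept, entitlement) -> holders
    for user, ent, _ in records:
        dept = identities.get(user)
        if dept is not None:
            holders[(dept, ent)].add(user)
    flagged = []
    for (dept, ent), users in holders.items():
        if len(members[dept]) < min_peers:
            continue
        share = len(users) / len(members[dept])
        if share < min_peer_share:
            flagged.extend((u, ent, share) for u in sorted(users))
    return sorted(flagged, key=lambda f: (f[2], f[0], f[1]))


def dormant_access(records, today, max_idle_days=90):
    """Entitlements never used, or not used within max_idle_days.

    Returns (user, entitlement, idle_days); idle_days is None when the
    entitlement has never been used."""
    cutoff = today - timedelta(days=max_idle_days)
    dormant = []
    for user, ent, last_used in records:
        if last_used is None:
            dormant.append((user, ent, None))
        elif last_used < cutoff:
            dormant.append((user, ent, (today - last_used).days))
    return dormant


def orphaned_accounts(records, identities):
    """Accounts present in application data with no active identity."""
    return sorted({user for user, _, _ in records if user not in identities})


if __name__ == "__main__":
    print("peer outliers:", peer_outliers(ACCESS_RECORDS, ACTIVE_IDENTITIES))
    print("dormant access:", dormant_access(ACCESS_RECORDS, TODAY))
    print("orphaned accounts:", orphaned_accounts(ACCESS_RECORDS, ACTIVE_IDENTITIES))
```

Run against the constructed data, the peer check singles out u003's `prod-db:admin` (one finance user out of four), the dormancy check returns that same never-used entitlement plus two entitlements idle since January and February, and the orphan check returns u099. Re-running these three functions on each new inventory snapshot is what "continuously baselining the environment" amounts to in practice; the thresholds are the tuning knobs that trade false positives against missed revocations.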